
16 April 2024

Overall rating

Your overall rating was red.

  • 26: Not yet implemented or planned
  • 0: Partially implemented or planned
  • 5: Successfully implemented
  • 0: Not applicable

RED: not implemented or planned

Your business has conducted an information audit to map data flows.

Suggested actions

You should:

  • organise an information audit across your business or within particular business areas to identify the data that you process and how it flows into, through and out of your business;
  • ensure this is conducted by someone with in-depth knowledge of your working practices; and
  • identify and document any risks you have found, for example in a risk register.


Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.

Suggested actions

You should:

  • maintain records of processing activities detailing what personal data you hold, where it came from, who you share it with and what you do with it. This will vary depending on the size of your business;
  • consider using an information asset register to do this; and
  • ensure you have procedures to guide staff on how to manage information you hold.


Your business has identified your lawful bases for processing and documented them.

Suggested actions

You should:

  • look at the various types of data processing you carry out;
  • identify your lawful bases for carrying it out; and
  • document it, for example in your privacy information.


Your business has reviewed how you ask for and record consent.

Suggested actions

You should:

  • Check that consent is the most appropriate lawful basis for the processing.
  • Make the request for consent prominent and separate from your terms and conditions.
  • Ask individuals to positively opt in.
  • Use unticked opt-in boxes or similar active opt-in methods.
  • Use clear, plain language that is easy to understand.
  • Specify why you want the data and what you’re going to do with it.
  • Give granular options to allow individuals to consent separately to different types of processing wherever appropriate.
  • Name your business and any specific third party organisations who will rely on this consent.
  • Tell individuals they can withdraw consent at any time and how to do this.
  • Ensure that individuals can refuse to consent without detriment.
  • Don’t make consent a precondition of service.


Your business has systems to record and manage ongoing consent.

Suggested actions

You should:

  • Keep a record of when and how you got consent from the individual.
  • Keep a record of exactly what they are told at the time.
  • Regularly review consent to check that the relationship, processing and the purposes have not changed.
  • Have processes in place to refresh consent at appropriate intervals, including any parental consents.
  • Consider using privacy dashboards or other preference management tools as a matter of good practice.
  • Make it easy for individuals to withdraw their consent at any time and publicise how to do so.
  • Act on withdrawals of consent as soon as you can.
  • Don’t penalise individuals who wish to withdraw consent.

If your existing consent does not meet the UK GDPR's high standard, or is poorly documented, you will need to:

  • seek fresh UK GDPR-compliant consent; or
  • identify a different lawful basis for your processing (and ensure continued processing is fair); or
  • stop the processing.


If your business relies on consent to offer online services directly to children, you have systems in place to manage it.

Suggested actions

You should:

  • identify the most appropriate lawful basis for the processing;
  • document it;
  • if relying on consent to offer online services to children, have a process to verify that the child is old enough to provide consent themselves (aged 13 or over); and
  • obtain parental or guardian’s consent or authority for children under 13 if you want to rely on consent as the lawful basis for your processing (unless the online services are for preventive or counselling purposes).


If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where it will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary.

Suggested actions

You should:

  • ensure guidance is available for staff on the circumstances where they need to use this lawful basis for processing;
  • review your existing processing to identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in future; and then
  • document where you rely on this basis and inform individuals if relevant.


If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three-part test and can demonstrate you have fully considered and protected individuals' rights and interests.

Suggested actions

You should:

  • conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that you can justify your decision;
  • if your LIA identifies significant risks, consider whether you need to do a data protection impact assessment (DPIA) to assess the risk and potential mitigation in more detail;
  • keep your LIA under review, and repeat it if circumstances change; and
  • include information about your legitimate interests in your privacy information.

Guidance

Guide to the UK GDPR – Legitimate interests, ICO website

Your business has paid the data protection fee to the Information Commissioner's Office.

Suggested actions

You should:

  • check whether you are required to pay the data protection fee (most organisations that process personal data must, unless an exemption applies); and
  • pay the fee and renew it every year, referring to our guidance to determine which fee tier applies to your business.


Your business has made privacy information readily available to individuals.

Suggested actions

The information you provide should:

  • let individuals know who you are, why you are processing their data and who you share it with;
  • be concise and to the point;
  • be easy to understand;
  • be clearly signposted and easy to access;
  • be written in clear and plain language, particularly if addressed to a child;
  • be free of charge;
  • include different information depending on whether you obtained the data directly from the individual or not; and
  • be reviewed regularly to make sure it remains accurate and up to date.


Your business communicates privacy information in a way that a child will understand.

Suggested actions

You should ensure the information you provide is:

  • concise, transparent, intelligible and easily accessible;
  • written in clear and plain language that can be understood by a child (age appropriate);
  • explicit about the risks involved in the processing and the safeguards you have put in place;
  • free of charge; and
  • reviewed regularly to make sure it remains accurate and up to date.

Guidance

Guide to UK GDPR - Children, ICO website

Your business has established a process to recognise and respond to individuals' requests to access their personal data.

Suggested actions

You should:

  • ensure a process is in place to allow you to recognise and respond to any requests for personal data within the statutory timescale (normally one month, which you can extend by up to two further months for complex or numerous requests);
  • establish a policy on how to record any requests you receive verbally;
  • include right of access procedures within your data protection policy;
  • provide awareness training to all staff and specialist training to individuals who deal with any requests; and
  • consider if you can provide remote access to a secure self-service system to provide the information directly to an individual in response to a request (this will not be appropriate for all organisations, but there are some sectors where this may work well).

Guidance

Guide to UK GDPR - Right of access, ICO website

Your business has processes in place to ensure that the personal data you hold remains accurate and up to date.

Suggested actions

You should:

  • implement procedures to allow individuals to challenge the accuracy of the information you hold about them and have it corrected if necessary;
  • establish a policy about how to record any requests you receive verbally;
  • introduce appropriate systems to rectify or complete information, or allow individuals to provide a supplementary statement;
  • have procedures to inform other organisations you have disclosed the information to of the rectification where possible;
  • create records management policies, with rules for creating and keeping records (including emails);
  • conduct regular data quality reviews of systems and manual records you hold to ensure the information continues to be adequate for the purposes of processing (for which it was collected);
  • regularly review information to identify when you need to correct inaccurate records, remove irrelevant ones and update out-of-date ones; and
  • promote and feedback any data quality trends to staff through ongoing awareness campaigns and internal training.

Guidance

Guide to UK GDPR - Right to rectification, ICO website

Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked for it to be erased.

Suggested actions

You should:

  • have procedures in place that allow individuals to request the deletion or erasure of information you hold about them if there is no compelling reason for you to continue processing it;
  • establish a policy on how you record any requests you receive verbally;
  • have procedures to inform any other organisations you have shared the information with about the request for erasure;
  • introduce procedures, if the data has been made public in an online environment, to inform other controllers who are processing the personal data to erase links to, copies or replication of that data;
  • have procedures to delete information from any back-up systems;
  • implement a written retention policy or schedule to remind you when to dispose of various categories of data, and help you plan for its secure disposal;
  • regularly review the retention schedule to make sure it continues to meet business and statutory requirements;
  • assign responsibility for retention and disposal to an appropriate person;
  • have appropriate methods of destruction in place to prevent disclosure of personal data prior to, during and after disposal; and
  • if you use third parties to dispose of personal data ensure the contract includes the requirement for them to have appropriate security measures and the facility to allow you to undertake an audit.


Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.

Suggested actions

You should:

  • review your procedures to determine where you may be required to restrict the processing of personal data;
  • implement a process that enables individuals to submit a request to you;
  • have a process to act on an individual’s request to block or restrict the processing of their personal data;
  • establish a policy on how to record any requests you receive verbally;
  • have procedures to inform any other organisations you have shared the information with, if possible; and
  • inform individuals when you decide to lift a restriction on processing.

Guidance

Guide to UK GDPR - Right to restrict processing, ICO website

Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

Suggested actions

You should:

  • implement a process that will enable individuals to submit a request to you;
  • establish a policy on how you record any requests you receive verbally;
  • have a process to allow you to recognise and respond to any individual requests in line with your legal obligations and statutory timescales;
  • provide the personal data in a structured, commonly used and machine readable format;
  • ensure that the medium in which you provide the data has appropriate technical measures in place to protect the data it contains; and
  • ensure that the medium in which you provide the data allows individuals to move, copy or transfer that data easily from one organisation to another without hindrance.

Guidance

Guide to UK GDPR - right to data portability, ICO website

Your business has procedures to handle an individual’s objection to the processing of their personal data.

Suggested actions

You should:

  • review your processes and privacy information to ensure you inform individuals of their right to object “at the point of first communication”. You should display or give this information clearly and separately from any other information;
  • implement a process that will enable individuals to submit an objection request (this could include an online option);
  • provide training or raise awareness amongst your staff to ensure they are able to recognise and respond (or know where to refer the request to) to an objection raised by an individual;
  • establish a policy on how to record any objections you receive verbally;
  • have procedures in place to consider the individual’s objection to the processing of their personal data and record the outcome;
  • have processes to demonstrate, where appropriate, your reasons to continue with the processing, based on the compelling legitimate grounds outlined within the UK GDPR; and
  • inform individuals of the outcome of their objection.

Guidance

Guide to the UK GDPR – Right to object, ICO website

Your business has an appropriate data protection policy.

Suggested actions

You should have a standalone policy statement or general staff policy that:

  • sets out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance;
  • aligns with and covers the measures within this checklist as a minimum;
  • is approved by management and published and communicated to all staff; and
  • is reviewed and updated at planned intervals, or when required, to ensure it remains relevant.

Guidance

Get safe online website

Policy examples and templates are widely available online.

Your business monitors its own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.

Suggested actions

You should:

  • establish a process to monitor compliance to the policies;
  • regularly test the measures that are detailed within the policies to provide assurances that they continue to be effective;
  • ensure that responsibility for monitoring compliance with the policies is independent of the persons implementing the policy, to allow the monitoring to be unbiased; and
  • report any results to senior management.

Your business has a written contract with any processors you use.

Suggested actions

You should:

  • ensure that you have a written contract in place whenever you use a processor (a natural or legal person or organisation which processes personal data on your behalf);
  • check that both new and existing contracts include certain specific terms, as a minimum, to ensure that data processing meets the requirements of the UK GDPR;
  • outline in the contract the technical and organisational arrangements the processor must have in place;
  • include arrangements for security of processing, keeping records of processing activities, and notification of data breaches; and
  • refer to the ICO guidance (link below) to clarify responsibilities and liabilities, and to help you draft new contracts and amend existing ones. Look out for updated ICO guidance, as it is revised over time.

Guidance

Guide to the UK GDPR – Contracts, ICO website

Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

Suggested actions

You should:

  • have a clearly communicated set of security policies and procedures, which reflect business objectives and assign responsibilities to support good information risk management;
  • ensure that you have processes in place to analyse and log any identified threats, vulnerabilities, and potential impacts which are associated with your business activities and information (risk register); and
  • apply controls to mitigate the risks you’ve identified within agreed appetites and regularly test these controls to ensure they remain effective.

Guidance

The National Archives have produced some guidance on information risk management.

Your business understands when you must conduct a DPIA and has processes in place to action this.

Suggested actions

You should:

  • establish a policy which sets out when you should conduct a DPIA, who will authorise it and how it will be incorporated into the overall project plan. A DPIA screening process may be a useful tool in determining whether a DPIA is required;
  • assign responsibility for completing DPIAs to a member of staff who has sufficient control over the project to effect change eg Project Lead/Manager;
  • where a DPIA is required, ensure you complete the process before beginning the project;
  • ensure your process for completing a DPIA includes consultation with the DPO/data protection lead, data processors, third party contractors and, in most cases, the public or their representatives;
  • ensure the information contained within the DPIA complies with the requirements under the UK GDPR and that you detail the results within a report; and
  • where a DPIA indicates that the processing would result in a high risk that you are unable to mitigate by reasonable means, consult the ICO before commencing processing.

Guidance

Guide to UK GDPR - Data protection impact assessment, ICO website

Your business has a DPIA framework which links to your existing risk management and project management processes.

Suggested actions

You should:

  • review your existing risk and project management processes and ensure there is consistency and links with your DPIA processes in place;
  • drive awareness of DPIAs across your business, and particularly amongst risk and project teams so that they understand the requirements; and
  • ensure DPIA documentation is readily available for staff to use and that you have trained them on how to conduct the assessment.

Guidance

Guide to UK GDPR - Data protection impact assessment, ICO website

Where required, your business has appointed a DPO. In other cases, you have nominated a data protection lead.

Suggested actions

You should:

  • designate responsibility for data protection compliance to a suitable individual;
  • support the appointed individual through provision of appropriate training;
  • ensure there are appropriate reporting mechanisms in place between the individual responsible for data protection compliance and senior management;
  • register the details of your DPO with the ICO; and
  • document the internal analysis carried out to determine whether or not a DPO is to be appointed, unless it is obvious that your organisation is not required to designate a DPO.

Guidance

Guide to the UK GDPR - Data protection officers, ICO website

Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

Suggested actions

You should:

  • clearly set out your business’s approach to data protection and assign management responsibilities;
  • ensure you have a policy framework and information governance strategy in place to support a positive data protection and security culture which has been endorsed by management;
  • assess and identify areas that could cause data protection or security compliance problems and record these on your business's risk register;
  • deliver training which encourages personal responsibility and good security behaviours; and
  • run regular general awareness campaigns across your business to educate staff on their data protection and security responsibilities and promote data protection and security awareness and compliance.

Guidance

Think Privacy training, ICO website

Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the United Kingdom.

Suggested actions

You should:

  • ensure that any data you transfer outside the UK complies with the conditions for transfer set out in Chapter V of the UK GDPR;
  • ensure that you have adequate safeguards and data security in place, documented in a written contract using an appropriate transfer mechanism, for example the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses; and
  • implement measures to audit any documented security arrangements on a periodic basis.

Guidance

Guide to UK GDPR - International transfers, ICO website

GREEN: successfully implemented

Your business has identified whether any of your processing operations constitute automated decision making under Article 22 of the UK GDPR and has procedures in place to deal with the requirements.

Your business provides data protection awareness training for all staff. 

Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

Your business has an information security policy supported by appropriate security measures.

Your business has effective processes to identify, report, manage and resolve any personal data breaches.
